Skip to content

quantum5/django-csp-advanced

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

21 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

django-csp-advanced Build Status Coverage

A powerful Content-Security-Policy (CSP) middleware for Django. This CSP middleware supports using a dictionary syntax for CSP, and using callables taking arguments (request, response) to fill in parts of the dictionary.

For example, the following settings.py configuration:

ADVANCED_CSP = {
    'block-all-mixed-content': True,
    'frame-src': ['none'],
    'plugin-types': ['application/pdf'],
    'report-uri': '/dev/null',
    'sandbox': ['allow-scripts'],
    'script-src': ['self', 'https://dmoj.ca'],
    'style-src': lambda request, response: ['self'],
    'upgrade-insecure-requests': False,
}

generates this CSP (order may differ based on dictionary hashing):

style-src 'self'; script-src 'self' https://dmoj.ca; frame-src 'none'; plugin-types application/pdf; block-all-mixed-content; sandbox allow-scripts; report-uri /dev/null

Another feature is the ability to augment or replace the CSP from views:

def view(request):
    response = HttpResponse()
    response.csp = {'script-src': ['https://ajax.googleapis.com']}
    return response

This will add https://ajax.googleapis.com to the list of origins listed for script-src to result in something like:

...; script-src 'self' https://dmoj.ca https://ajax.googleapis.com; ...

You can use 'override': True to replace the CSP instead:

def view(request):
    response = HttpResponse()
    response.csp = {'script-src': ['self'], 'override': True}
    return response

This will replace the CSP with script-src 'self'.

You can also set csp_report on the response to add entry to the report-only CSP. Note that neither csp or csp_report has any effect if their global version is disabled. However, csp will be used to populate Content-Security-Policy-Report-Only if there is no enforced CSP policy configured, but there is a report-only policy.

Installation

First, install the module with:

$ pip install django-csp-advanced

Or if you want the latest bleeding edge version:

$ pip install -e git://github.com/quantum5/django-csp-advanced.git

Then, add 'csp_advanced' to INSTALLED_APPS and 'csp_advanced.middleware.AdvancedCSPMiddleware' to 'MIDDLEWARE' or 'MIDDLEWARE_CLASSES' depending on your setup.

Finally, use either a dictionary or a callable taking request, response as either ADVANCED_CSP or ADVANCED_CSP_REPORT_ONLY.

Examples:

ADVANCED_CSP = lambda request, response: {'script-src': ['self']}

ADVANCED_CSP_REPORT_ONLY = {'script-src': ['self']}

ADVANCED_CSP = {'style-src': lambda request, response: ['self']}

You get the idea.